Hello all! Having worked for a while with various computer systems, primarily Active Directory and Exchange, I wanted to share some of my experiences with two objectives in mind: 1) obtain feedback to improve my mastery of those systems and 2) help others working on the same subject. Other posts are about CentOS, Citrix NetScaler, and VMware.
NOTE: most of my posts are in English but some others in French, with a summary in English. However, some of the CentOS blog posts lack this summary.

Sunday, September 11, 2016

Office 365 - hybrid configuration - change Mail Flow

As readers may have observed in previous blog posts, I have an Office 365 subscription associated with on-premises Exchange servers in what is known as a hybrid deployment. Concerning mail flow, I had configured the MX records so that incoming messages would be directed to my on-premises Exchange servers (after 1-to-1 NAT at the perimeter firewall and passing through a Citrix NetScaler VPX load balancer). This configuration has a significant disadvantage: I do not benefit from the antimalware and antispam services of Exchange Online Protection. This is less critical in a practice or test environment where the future of the business is not at stake, but after my test users started receiving suspicious emails (apparently someone is reading my blog... ), I thought it would be prudent to adjust mail flow so that incoming messages are routed to Exchange Online first and, when necessary, forwarded to on-premises mailboxes via the organization send and receive connectors configured for Office 365.

According to the sources I consulted, it would be a simple matter of changing my MX records and then re-running the Office 365 Hybrid Configuration Wizard.

For more information on this wizard, you can consult this previous blog post:

For this step, we have to use whatever interface we normally use to manage our DNS records. In my case, this would be No-IP which I will use as an example.

Note: I have edited the images (screenshots) below to conceal certain details.

So I log in and go to the "Manage Domains" section...

I select the domain associated with the MX records that I want to change:

We have a number of "hosts", which are essentially A records (or CNAME records). In the No-IP management interface, we have to open the A record to see any associated MX records. Since my email address uses the format "someone@mitserv.net", I will modify the A record (in fact the associated MX record) for "mitserv.net" by clicking on the "Modify" icon:

In the following screen, we have to scroll to the very bottom where we see the section for MX records. This is what was configured before the modification:

The MX record (the No-IP interface does not display the record itself as other DNS interfaces do; we only see its target) points to the A record for "mail.mitserv.net", which in turn resolves to the external IP address of my test network (where 1-to-1 NAT forwards incoming SMTP traffic to my Citrix NetScaler VPX).

Regardless, I change the MX record so it points to the following A record:

But wait! Where did I find that record?

We have to access our Office 365 account and in the Admin center, we click on "Domains":

I select my domain:

Here is the MX record that should be entered:

Run the Office 365 Hybrid Configuration Wizard (again)

Please consult the blog post referenced in the hyperlink above.

We repeat exactly the same steps with one exception:

We do not check the "Enable centralized mail transport" option.

***

And that's all.

Additional testing confirmed that incoming messages are routed to Office 365 instead of the on-premises servers. If the test user has a mailbox hosted by Office 365 (Aisha Bhari), the message is delivered directly. If the test user has a mailbox that is still hosted by an on-premises server (Alannah Shaw), Exchange Online forwards the message to that final destination via the send and receive connectors configured for the hybrid deployment.
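As an added example (not part of the original post), here is a PowerShell script to verify the new mail flow once the MX record has been changed and the Hybrid Configuration Wizard re-run. It assumes Resolve-DnsName from the Windows DnsClient module and an Exchange Online PowerShell session opened with Connect-ExchangeOnline (ExchangeOnlineManagement module); the domain and test recipient values are placeholders to replace with your own.

```powershell
# Added verification script, not from the original post. Assumes:
#   - Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later)
#   - an Exchange Online PowerShell session (Connect-ExchangeOnline)
#   - $Domain and $TestRecipient are placeholders for your own values
$Domain        = 'mitserv.net'
$TestRecipient = 'someone@mitserv.net'   # placeholder: a mailbox still on-premises

# 1. What does the Internet see? Ask a public resolver rather than the internal
#    DNS servers so a split-brain zone does not hide a stale MX record.
$mxRecords = Resolve-DnsName -Name $Domain -Type MX -Server 8.8.8.8 -ErrorAction Stop |
             Where-Object { $_.Type -eq 'MX' } |
             Sort-Object Preference

$allViaEop = $true
foreach ($mx in $mxRecords) {
    # Exchange Online Protection MX hosts end in mail.protection.outlook.com
    $viaEop = $mx.NameExchange -like '*.mail.protection.outlook.com'
    if (-not $viaEop) { $allViaEop = $false }
    '{0,4}  {1,-55}  {2}' -f $mx.Preference, $mx.NameExchange,
        $(if ($viaEop) { 'EOP' } else { 'bypasses EOP filtering' })
}
if (-not $allViaEop) {
    Write-Warning "At least one MX for $Domain still points outside EOP; incoming mail can skip antispam/antimalware."
}

# 2. Hybrid connectors. With "Enable centralized mail transport" left unchecked,
#    RouteAllMessagesViaOnPremises on the on-premises outbound connector is False,
#    so only mail for on-premises mailboxes is relayed back through the smart hosts.
Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Select-Object Name, Enabled, RouteAllMessagesViaOnPremises,
                  @{ n = 'SmartHosts';       e = { $_.SmartHosts -join ', ' } },
                  @{ n = 'RecipientDomains'; e = { $_.RecipientDomains -join ', ' } }

# Inbound side: mail from on-premises should be accepted only over TLS with the
# hybrid certificate, so that "internal" mail cannot be spoofed into the tenant.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Select-Object Name, Enabled, RequireTls, TlsSenderCertificateName,
                  @{ n = 'SenderDomains'; e = { $_.SenderDomains -join ', ' } }

# 3. Confirm a recent test message to the on-premises mailbox entered through EOP;
#    Status shows whether EOP accepted the message and handed it on.
Get-MessageTrace -RecipientAddress $TestRecipient `
                 -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Status |
    Sort-Object Received -Descending
```

One follow-up a practitioner will want after this change: the old path (public IP, 1-to-1 NAT, NetScaler, on-premises Exchange) still accepts SMTP on port 25 unless the perimeter firewall is tightened. Restricting inbound TCP/25 to the Exchange Online Protection IP ranges that Microsoft publishes ensures that incoming mail cannot reach the on-premises servers without first passing through EOP filtering, which is the whole point of moving the MX record.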